Support updating registry credentials scoped to namespaces/repos #1288
Conversation
|
I was checking the functionality during my follow-up mentioned in #1278 (review). Looks like we're mostly set in c/image, whereas c/common would require some slight adaption to make login/logout work correctly. |
saschagrunert
force-pushed
the
login-logout-tests
branch
from
ce03f42 to
8fd6290
Compare
|
LGTM |
That’s not good, because the functions blindly send such values to credential helpers, which may work very badly (see https://issues.redhat.com/browse/RUN-1246?focusedCommentId=16344129&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16344129 ). Also, if we are not adding new functions, the documentation of WRT credential helpers, for now it would be consistent to just refuse to write namespaced credentials to them (and |
|
@mtrmac would it be better to normalize the input registry for every credentials helper other than |
|
If the user requests to record a login for IIRC from a quick skim, we already ~silently continue if a helper refuses data; so I think we can continue to do that and just refuse to even try with non- Non-blocking? It might be useful to provide a typed error for such a case, or at least to special-case the |
saschagrunert
force-pushed
the
login-logout-tests
branch
2 times, most recently
from
a12697b to
ecdb320
Compare
|
Added a new error type |
|
@saschagrunert looks like you need a rebase here. |
|
The branch is not on the latest master but I don't see any conflicts :) |
saschagrunert
changed the title
There was a problem hiding this comment.
I have troubles understanding the meaning of "namespaced registry". It mostly relates to using the "namespaced" adjective (all registries have namespaces) but also c/image usually uses "repo[sitory]" rather than "namespace".
I am also a bit worried of the implications of the new error. Can we be certain that registry+repo/path is not supported for creds helpers? I tried looking in the (scarse) docs (https://pkg.go.dev/github.com/docker/[email protected]/credentials#Credentials) but could not find much info on what a "ServerURL" is.
Yeah the key is not a “registry”, so a “namespaces registry” is not ideal. We should think of a name and use it consistently throughout.
containers-registries.conf(5) just define a similar syntax (but with leading wildcards) for the containers-policy.json(5) talks about “scopes” (but in a more generic transport-dependent way). I don’t have a good suggestion. “Credentials scope”? “Credential [storage] key”? Both are pretty bad.
See the various helper implementations in that repo:
For now this is already ~decided by #1278 , which does not call helpers for any non-registry keys, and this just does the same thing on the write path; if we don’t look for per-repo credentials in helpers, it doesn’t make much sense to report success on storing the credentials in those helpers. Though we can certainly revisit, and now before a release would be the best time :) |
|
Alright, just a few points are left open, mostly about the term "namespaced" and "registry". How about:
|
saschagrunert
force-pushed
the
login-logout-tests
branch
3 times, most recently
from
33a364e to
e1a9b66
Compare
There was a problem hiding this comment.
So that it isn’t forgotten, we will need a solution for namespaces-only logins, maybe containers/common#659 (comment) .
*shrug* works for me. @vrothberg ?
repositories and repository namespaces
If nothing is checking for that value (as is currently the case), maybe we can just not provide an API and this specific instance goes away (OTOH naming still affects most of the PR throughout anyway). |
|
SGTM |
mtrmac
changed the title
saschagrunert
force-pushed
the
login-logout-tests
branch
5 times, most recently
from
d41f449 to
0e01664
Compare
|
Implemented the review suggestions, PTAL @mtrmac @vrothberg |
There was a problem hiding this comment.
So that it isn’t forgotten, we will need a solution for namespaces-only logins, maybe containers/common#659 (comment) .
saschagrunert
force-pushed
the
login-logout-tests
branch
from
0e01664 to
6c25f71
Compare
|
@mtrmac thank you for the review! I addressed your requested changes, PTAL again. |
|
Couple small nits and you need to rebase @saschagrunert |
We now error on login if repositories or repository namespaces are used for other credential helpers than the `AuthenticationFileHelper`. On logout we ignore them and debug log a warning that nothing has been modified. The functions `SetCredentials` (for login) as well as `RemoveAuthentication` (for logout) already feature support for path based registries for the `AuthenticationFileHelper`. This patch adds unit tests to ensure that the support will not break in the future. Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
force-pushed
the
login-logout-tests
branch
from
6c25f71 to
2935f06
Compare
|
Rebased and addressed @TomSweeneyRedHat's comments. |
There was a problem hiding this comment.
LGTM. Thanks!
Are you planning to work on containers/common#659 (comment) as well, to make everything fit together?
| return nameParts[0] | ||
| } | ||
|
|
||
| // stripScheme striped the http|https scheme from the provided URL. | ||
| func stripScheme(url string) string { |
There was a problem hiding this comment.
(Non-blocking: This can be inlined back into its only caller.)
|
LGTM |
Yes, I’ll continue working on it next week. :) |
We now error on login if repositories or repository namespaces are used
for other credential helpers than the
AuthenticationFileHelper. Onlogout we ignore them and debug log a warning that nothing has been
modified.
The functions
SetCredentials(for login) as well asRemoveAuthentication(for logout) already feature support for pathbased registries for the
AuthenticationFileHelper. This patch addsunit tests to ensure that the support will not break in the future.
Refers to #1276